Archive for the ‘scams’ Category

Staying safe on the Internet is challenging. It is technologically easy for nefarious hackers to create emails, web pages, and other documents that look like they are from real, trustworthy entities (e.g., banks, e-commerce sites, or universities).

Be wary of emails or web pages that ask for your username, password, social security number, home address, or other personal information. Check to make sure these requests for information are from legitimate businesses or sources before responding.

Here are some tips for protecting yourself from phishing scams:

Pay attention to the headers in the email (the to field, the from field, the subject field, etc.). Make sure the email is coming from legitimate locations. Recently, a phishing scam attacked Stanford University – in the header, here was the From: “Computing Services” <bskgoprh@stanford.edu>. If this were a legitimate email, it would have likely come from “security@stanford.edu” or “helpsu@stanford.edu” or from Matthew Ricks, head of Computing Services personally.

Never click on a link from within an email. Always open a web browser and manually type in (or copy and paste) the URL yourself. It is easy for “phishers” to make links appear to go one place, but really go someplace else. Just because a link says it’s going to PayPal or some other legitimate location doesn’t necessarily mean it will actually take you there.For example, in the phishing attack that hit Stanford, the phishers used a link that contained part of the real URL (http://axess.stanford.edu), but also contained a number of extra letters and numbers at the end (.student.3hf.be). Pay attention to the URLs in an email and never simply click the link.

Realize that it is easy to create legitimate-looking websites. Victims of the phishing scam that hit Stanford were sent to a website that looked exactly like the real site that people would have gone to if it were legit. Simply because the site LOOKS real doesn’t mean that it is.Pay attention to the URL in the address bar. Does it contain extra letters or substitutions (e.g., 1 for l) that shouldn’t be there?

For example, these are fake:
http://www.paypal.com.someplace.ruhttp://www.paypa1.com

Vigilance is the only defense against social engineering. Look for these markers to know you’re getting ready to divulge too much:

“Here’s your big chance to play the new fantastic version of the [xxx] game!” The link, of course, goes somewhere where they will extract some private information (real name? a password that might work somewhere else? your birthdate in order to prove you are ‘old enough’ to play, etc.). This really is the #1 rule: Avoid clicking links people send you instead of using a search engine to find the proper link.

Anything that sounds too good to be true probably is. It is unlikely that you have won the Irish Sweepstakes, even if you elect to send in a $1,000 security payment.

Any time you get a solicitation in email that you did not request – even from a trusted friend – should be discarded immediately. No reputable company works this way.

Email with misspelled, mispunctuated, or bizarrely formatted text is almost surely a scam.

If something feels like it requires action, confirm via telephone with someone you know (or at least can verify, e.g., by calling the corporate headquarters) before you send money. A recent scam asks for money because your best friend (or aunt or grandmother or …) is caught in Europe (or some faraway place) and can’t return until they pay bail, or a fee, or some other money-requirement. You, the trustworthy friend or relative can help them! Call them at home to make sure they’re not there before sending money.

Any time you are getting ready to feel good about giving away some money or information, think twice: Why am I really doing this? Do I know who is on the other end of my bequest? “Hey, John, please remind me of the combination to get into the machine room.” Who is really asking?

“Please come back to FaceBook!” The link, of course, goes to a FaceBook look-alike which presumably reaps your name and password. Avoid clicking links people send you instead of using a search engine to find the proper link.

“Please call this number to verify [xxx].” You’ll get a recording asking you to leave all sorts of useful information. Don’t even think of calling telephone numbers you can’t verify (perhaps by checking a phone book or institutional phone list) sent to you unsolicited in email.
Keywords to avoid: verify, account, won, lottery, respond [now, quickly], or you will suffer [some horrible thing] See these? Click delete.

Vishing: These same pitches and scams work in airports, for panhandlers, and all sorts of non-computer scammers, too, by the way. They even work when people call you on the phone! “Hey, Jill, this is Ralph over in accounting. I’ve forgotten [xxx], can you help me out?” Look up their number and call them back.

SMSiShing: Same idea for text messages are you phone. Don’t believe a bank will text you; call them on an independently verified number.

Secure your mail. Empty your mailbox quickly, lock it or get a P.O. box so criminals don’t have a chance to steal credit card offers. Never mail outgoing bill payments and checks from an unsecured mailbox, especially at home. They can be stolen from your mailbox and the payee’s name erased with solvents. Mail them from the post office or another secure location.

Safeguard your Social Security number. Never carry your card with you, or any other card that may have your number, like a health insurance card or school issued ID. Don’t put your number on your checks; your SSN is the primary target for identity thieves because it gives them access to your credit report and bank accounts. There are very few entities that can actually demand your SSN – the Department of Motor Vehicles, for example. Also, SSNs are required for transactions involving taxes, so that means banks, brokerages, employers, and the like also have a legitimate need for your SSN.

Safeguard your computer. Protect your computer from viruses and spies. Use complicated passwords; frequently update antivirus software and spyware. Surf the Web cautiously. Shop only at trustworthy web sites and be wary of obscure sites or any site you’ve never used before.

Know who you’re dealing with. Whenever you are contacted, either by phone or email, by individuals identifying themselves as banks, credit card or e-commerce companies and asked for private identity or financial information, do not respond. Legitimate companies do not contact you and ask you to provide personal data such as PINs, user names and passwords or bank account information over the phone or Internet. If you think the request is legitimate, contact the company yourself by calling customer service using the number on your account statement or in the telephone book and confirm what you were told before revealing any of your personal data.

Take your name off marketers’ hit lists. In addition to the national Do Not Call Registry (1-888-382-1222 or https://www.donotcall.gov), you also can reduce credit card solicitations for five years by contacting an opt-out service run by the three major credit bureaus: (888) 5-OPT OUT or https://www.optoutprescreen.com. You’ll need to provide your Social Security number as an identifier.

Be more defensive with personal information. Ask questions whenever anyone asks you for personal data. How will the information be used? Why must I provide this data? Ask anyone who does require your Social Security number — for instance, cell phone providers — what their privacy policy is and whether you can arrange for the organization not to share your information with anyone else.

Monitor your credit report. Each year, obtain and thoroughly review your credit report from the three major credit bureaus, Equifax, Experian and TransUnion (now available annually for free by calling 877-322-8228 or at https://www.annualcreditreport.com) to look for suspicious activity. If you spot something, alert your card company or the creditor immediately.

Review your bank and credit card statements carefully. Look for unauthorized charges or withdrawals and report them immediately. Make sure you recognize the merchants, locations and purchases listed before paying the bill. If you don’t need or use department-store or bank-issued credit cards, consider closing the accounts.

Be aware of how ID thieves can get your information. They get information:

From businesses or other institutions by stealing records, bribing employees with access to records, hacking into computers, or rummaging through trash.

By posing as a landlord, employer, or someone else who may have a legal right to the information.

By stealing credit and debit card numbers as your card is processed by using a special information storage device in a practice known as “skimming.”

By stealing wallets and purses containing identification and credit or bank cards.